Contestants set up honeypots and spoof existing robocall-screening technologies.

On Thursday the Federal Trade Commission (FTC) announced the winners of a robocall-defeating contest that the commission held at DefCon in early August. Three groups of contestants each won $3,133.70, and two runners-up each won $1,337 (for being just that elite). The FTC says it receives 150,000 robocall complaints each month, down from 200,000 per month one year ago.

The contest was called “Zapping Rachel,” for the well-known scam in which a pre-recorded woman's voice tells an unsuspecting phone answerer, “Hi this is Rachel at cardholder services.” The FTC separated the contestants into Creator, Attacker, and Detective categories—Creator entrants were asked to build a honeypot to lure robocallers, Detective entrants were given the honeypot data and asked to analyze it, and Attacker entrants were tasked with finding honeypot vulnerabilities. Contestants were given between 24 and 48 hours to submit their entries, depending on the category they entered.

For the Creator category, Jon Olawski, who is a software engineering director for an Internet marketing company by day, won the prize. He built a honeypot that used “an audio captcha filter, call detail analysis, and recording and transcription analysis” to automatically rate whether an incoming call came from a robocaller. In an e-mail to Ars, Olawski described his idea as “a 10-point 'strike' system”: if a calling number accumulates a certain number of strikes, it is flagged as a robocaller and can be placed on a blacklist.

The Detective category winners included Yang Yang and Jens Fischer, who will share their $3,133 prize for honeypot data analysis. The algorithm they developed relied on “metrics such as the number of calls made, whether the number called was a toll-free number, and the time of the call to identify likely robocalls.”
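The two winning approaches above, the Creator entry's strike system and the Detective entry's call-metric scoring, both reduce to scoring call-detail records and flagging callers that cross a threshold. The following is an added illustration, not the contestants' code or anything released by the FTC; the point values, the threshold, the toll-free prefix list, the scripted-pitch phrases, and the five sample call records are all constructed assumptions chosen to make the mechanics visible. It scores each honeypot call on the metrics the article names (audio-CAPTCHA result, number of calls from the same caller, whether the dialed honeypot line is toll-free, time of day, and transcript content) and builds a blacklist from callers whose worst call reaches the strike threshold.

```python
"""Strike-based robocall scoring over honeypot call-detail records.

Added example only: not the contest entries' code. Point values, threshold,
prefixes, phrases and sample records are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed North American toll-free prefixes (a caller hammering toll-free
# honeypot lines is one of the article's example metrics).
TOLL_FREE_PREFIXES = {"800", "833", "844", "855", "866", "877", "888"}
# Assumed phrases typical of a scripted, pre-recorded pitch.
SCAM_PHRASES = ("cardholder services", "press 1", "lower your interest rate")
MAX_POINTS = 10          # the "10-point strike system" from the article
BLACKLIST_THRESHOLD = 5  # assumed cut-off; tune against labelled honeypot data


@dataclass(frozen=True)
class CallRecord:
    caller: str                 # E.164 number that placed the call
    callee: str                 # honeypot line that received it
    when: datetime
    passed_audio_captcha: bool  # did the caller answer the spoken challenge?
    transcript: str             # "" when nothing was recorded


def is_toll_free(number: str) -> bool:
    """True if the number (after a leading country code 1) uses a toll-free prefix."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("1"):
        digits = digits[1:]
    return digits[:3] in TOLL_FREE_PREFIXES


def score_call(rec: CallRecord, calls_from_caller: int) -> tuple[int, list[str]]:
    """Return (strike points capped at MAX_POINTS, human-readable reasons)."""
    strikes, reasons = 0, []
    if not rec.passed_audio_captcha:          # a recording cannot answer a challenge
        strikes += 4
        reasons.append("failed audio captcha")
    if calls_from_caller >= 3:                # call-volume metric
        strikes += 2
        reasons.append(f"{calls_from_caller} calls into the honeypot")
    if is_toll_free(rec.callee):              # toll-free target metric
        strikes += 1
        reasons.append("dialed a toll-free line")
    if rec.when.hour < 8 or rec.when.hour >= 21:  # time-of-call metric
        strikes += 1
        reasons.append("outside 08:00-21:00")
    text = rec.transcript.lower()             # transcription analysis
    if any(phrase in text for phrase in SCAM_PHRASES):
        strikes += 2
        reasons.append("scripted pitch in transcript")
    return min(strikes, MAX_POINTS), reasons


def build_blacklist(records, threshold: int = BLACKLIST_THRESHOLD) -> dict[str, int]:
    """Map each caller whose worst call reaches the threshold to that call's score."""
    counts = Counter(r.caller for r in records)
    worst: dict[str, int] = {}
    for r in records:
        points, _ = score_call(r, counts[r.caller])
        if points >= threshold:
            worst[r.caller] = max(worst.get(r.caller, 0), points)
    return worst


# Constructed sample call-detail records (not real honeypot data).
SAMPLE_RECORDS = [
    CallRecord("+15550100", "+18005550199", datetime(2014, 8, 9, 22, 15), False,
               "hi this is rachel at cardholder services press 1 to lower your rate"),
    CallRecord("+15550100", "+12025550123", datetime(2014, 8, 9, 22, 16), False, ""),
    CallRecord("+15550100", "+13105550177", datetime(2014, 8, 9, 14, 2), False,
               "your vehicle warranty is about to expire press 1"),
    CallRecord("+15550123", "+12025550123", datetime(2014, 8, 9, 13, 0), True,
               "hey it's dave calling about dinner"),
    CallRecord("+15550150", "+12025550123", datetime(2014, 8, 9, 9, 30), False,
               "this is your pharmacy your prescription is ready for pickup"),
]

if __name__ == "__main__":
    counts = Counter(r.caller for r in SAMPLE_RECORDS)
    for rec in SAMPLE_RECORDS:
        points, reasons = score_call(rec, counts[rec.caller])
        print(f"{rec.caller} -> {rec.callee}: {points:2d} strikes {reasons}")
    print("blacklist:", build_blacklist(SAMPLE_RECORDS))
```

With the constructed data the repeat caller scores 10, 7 and 8 on its three calls and is blacklisted, while the human caller scores 0. The pharmacy's recorded message still collects four strikes for failing the CAPTCHA and sits just under the threshold; lowering the threshold to 4, or having the pharmacy ring three honeypot lines, would blacklist it too, which is exactly the legal-versus-illegal robocall limitation the article notes. Note also that the call count is measured within the honeypot only, so the scorer needs enough honeypot lines to see repeat behaviour.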

The winning honeypot ideas are similar to two projects that won last year's $50,000 robocall contest from the FTC. In that contest, the two winners separately built systems to blacklist and whitelist incoming calls using a CAPTCHA-style test. One system created an option to disconnect phone calls that failed the test and were not coming from a white-listed number. One problem with these systems is that it's tough for an algorithm to tell legal robocalls from illegal robocalls. Robocalls are generally legal if they're from charities, political organizations, or pharmacies notifying customers that their prescriptions are ready.

More work to do

Jan Volzke, founder of a company called Numbercop, which tracks and blocks voice and text spam messages, won in the Attacker category. By acting as an illegal telemarketer for a day or two, Volzke hoped to point out the weaknesses in the FTC's winning honeypots. His system for circumventing a honeypot relied on “a four-step targeting process that screens out phone numbers potentially connected to a honeypot,” an FTC press release says.

Volzke, who works on this problem professionally, told Ars in a phone conversation that at DefCon, the FTC's focus was a bit too narrow.

“The FTC was very focused on robocalls, while what we are seeing in the threat landscape is that those guys have long connected text messages and callback numbers, and voice mechanism detection will only catch a very small percentage of the market because these attacks are connecting to mobile phones directly,” he said.

If malicious callers avoid landline numbers, Volzke said they “reduce the number of numbers that [they] dial, but [their] response rate goes up.”

“There's one particular area that's really interesting,” he continued. “[Malicious telemarketers] send a text and include a callback number that leads to an automated recording.” Through that channel, the robocallers have more success getting personal information like credit card numbers and so forth. Volzke's company has recently collected a number of calls in which the scammer sends both a voice message and a text at the same time, which could lend the message (false) legitimacy for some.

Although the FTC is still focused on diminishing robocalling in general, Volzke says that it has to take a few proactive steps to truly reduce the plague of illegal telemarketing, starting by “applying honeypot analysis on live cellphone networks—these must be cellphones and not landlines.” Volzke told Ars that to catch robocallers, it's necessary to “spread out your honeypot across multiple networks; they can be computers with SIM cards—it doesn't need to be a physical device.” In addition, “on those cellphones you also need to check for text messages.”

Finally, the FTC needs to gather information from people being scammed worldwide. “These guys are acting internationally...we actually believe that this is not a large amount of people that are doing this, it's a handful of guys,” Volzke said, adding that it's also time for network carriers to chip in to diminish robocalls. “Law enforcement can only do so much.”

“There are historic reasons” why carriers don't do much to stop robocallers, Volzke said. “For a long time carriers had a mandate to connect a call,” but with the changing mobile landscape, new agreements must be considered.